Monthly Archive: May 2022

The Quotes llama WordPress plugin through 0.7 does not sanitise and escape Quotes, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. The attack...

The Form Maker by 10Web WordPress plugin before 1.14.12 does not sanitize and escape the Custom Text settings, which could allow high privilege user such as admin to perform Cross-Site Scripting attacks even when...

The Enable SVG WordPress plugin before 1.4.0 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads Date published...

The StaffList WordPress plugin before 3.1.5 does not properly sanitise and escape a parameter before using it in a SQL statement when searching for Staff in the admin dashboard, leading to an SQL Injection...

The HPB Dashboard WordPress plugin through 1.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is...

The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.5.9 does not escape the current URL before putting it back in a JavaScript context, leading to a Reflected Cross-Site Scripting Date published :...

The WP 2FA WordPress plugin before 2.2.1 does not sanitise and escape a parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting Date published : 2022-05-30 https://wpscan.com/vulnerability/0260d5c0-52a9-44ce-b7be-aff642056d16

The Poll Maker WordPress plugin before 4.0.2 does not sanitise and escape some settings, which could allow high privilege users such as admin to perform Store Cross-Site Scripting attack even when unfiltered_html is disallowed...

The Easy FAQ with Expanding Text WordPress plugin through 3.2.8.3.1 does not sanitise and escape its settings, allowing high privilege users to perform Cross-Site Scripting attacks when unfiltered_html is disallowed Date published : 2022-05-30...

The No Future Posts WordPress plugin through 1.4 does not escape its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks when unfiltered_html is disallowed Date published :...

The Slideshow WordPress plugin through 2.3.1 does not sanitize and escape some of its default slideshow settings, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html...

The IMDB info box WordPress plugin through 2.0 does not sanitize and escape some of its settings, which could allow high-privileged users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed...

The BannerMan WordPress plugin through 0.2.4 does not sanitize or escape its settings, which could allow high-privileged users to perform Cross-Site Scripting attacks when the unfiltered_html is disallowed (such as in multisite) Date published...

The Content Mask WordPress plugin before 1.8.4.1 does not have authorisation and CSRF checks in various AJAX actions, as well as does not validate the option to be updated to ensure it belongs to...